Sunday, November 13, 2016

Geeking out on wireless

Is anyone else excited about Unifi Mesh???


I was browsing around the Unifi site while troubleshooting an issue and just noticed Unifi is releasing a new line of products. It looks like Christmas came early. 

The jury is still out on the performance of the new products. 

This new line of products consists of indoor/outdoor access points designed for plug-and-play mesh, which means no more adopting the AP over a wire and then configuring the wireless uplink in the controller. In theory it should be easier.

What will be interesting is the Mesh Pro (UAP-AC-M-PRO), because the specs indicate this access point will be a beast: 3x3 MIMO on both bands.

https://unifi-mesh.ubnt.com/

As easy as 1..2..3, well almost anyway

Easy Unifi setup


It has come to my attention that there is an easy way to set up Unifi access points. Take your unadopted access point and plug it into the local network. (This won't work if the access point has already been adopted by a controller.)

Install the Unifi app, which is available on Android and iOS, and leave it in non-controller mode. You should be able to see the access point and set it up entirely from your phone!

This is only for basic setup; more advanced configuration still requires the controller. But the easy setup is enough to create an SSID and set a password, which is all the average consumer needs. Treat that step with the same care as a full deployment: use WPA2 and a long passphrase, since a phone-driven setup is no reason to accept a weak one.

Wireless uplink issues: not worth the effort

Wireless issues: the solution was to abandon the wireless uplink on UAP devices.


I recently spent the weekend troubleshooting my slow wireless and dropouts. It appears that for my home setup the wireless uplink was a terrible idea. Although I had many more "bars" of wireless with the uplink, I found that it also resulted in significantly degraded performance vs. a standalone access point: roughly 1/10th the speed.

This brings me to my next point: wireless access points should not be used as repeaters unless designed for that specific purpose.
- At best a repeater delivers half the speed, because every frame crosses the air twice (client to repeater, then repeater to the root AP) on the same channel.
- If the access point has one radio, that single radio must serve both the clients and the uplink, and it cannot do both at the same time.

The following link best describes why repeaters, bridges and wireless uplinks so often disappoint.
https://community.spiceworks.com/topic/988492-why-don-t-wi-fi-repeaters-work-very-well-ok-why-do-they-suck
Sunday, September 25, 2016

Hosting file to pull via wget

Occasionally I need to host a file that I will later pull onto a Linux box with wget.

This short tutorial shows how to upload a file to Dropbox and share a link in a form that wget can retrieve.

The first step is to upload the file to https://www.dropbox.com.

The next step is to share a link that is reachable from the internet. Keep in mind that anyone who obtains the link can download the file, so this is for material you are comfortable treating as public.

1. Select the Share button.

2. Once the file has uploaded, select Copy link.

3. Change the end of the link so that it ends in dl=1 rather than dl=0.

Once this is done, the link can be used to download the file via wget.

This can be useful for pulling binaries such as Splunk add-ons. Because the owner of a shared link can replace the file behind it at any time, record the file's hash when you upload it and check the download against it before installing anything.
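The three steps above, as an added example that is not part of the original post: a POSIX shell function that rewrites a Dropbox share link so its download flag is dl=1 (whether the link arrived with dl=0, dl=1 or no dl parameter at all), and a wrapper that downloads it with wget and keeps the file only if its SHA-256 matches the value you recorded at upload time. The share URL, file name and hash in the usage comment are constructed placeholders, not a real link.

```sh
#!/bin/sh
# Added example (not from the original post). Turns a Dropbox share link into a
# direct-download link and fetches it with wget, pinning the file to a SHA-256.

# dropbox_direct_url URL: print the URL with dl=1 as its download flag.
dropbox_direct_url() {
  url=$1
  case $url in
    *'?dl=0'*|*'&dl=0'*)
      # dl=0 is present (at the end, or followed by more parameters): flip it
      printf '%s\n' "$url" | sed -e 's/\([?&]\)dl=0$/\1dl=1/' \
                                 -e 's/\([?&]\)dl=0&/\1dl=1\&/' ;;
    *'?dl=1'*|*'&dl=1'*)
      printf '%s\n' "$url" ;;                 # already a direct link
    *'?'*)
      printf '%s\n' "${url}&dl=1" ;;          # other parameters, no dl flag
    *)
      printf '%s\n' "${url}?dl=1" ;;          # bare link
  esac
}

# fetch_verified SHARE_URL OUTFILE SHA256: download via wget and keep OUTFILE only
# if its digest matches. A Dropbox link is reachable by anyone who has it, and the
# link owner can swap the file behind it, so the hash you noted at upload time is
# the only thing tying the download to the file you meant to publish.
fetch_verified() {
  share_url=$1; out=$2; expected=$3
  url=$(dropbox_direct_url "$share_url")
  # -O: without it wget would name the local file "example.tgz?dl=1"
  wget -q -O "$out" "$url" || { echo "download failed: $url" >&2; return 1; }
  actual=$(sha256sum "$out" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $out: got $actual, expected $expected" >&2
    rm -f "$out"
    return 1
  fi
  echo "verified $out"
}

# Usage (placeholder link and hash):
#   fetch_verified 'https://www.dropbox.com/s/abc123xyz/splunk-addon.tgz?dl=0' \
#     splunk-addon.tgz 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
if [ "$#" -eq 3 ]; then
  fetch_verified "$@"
fi
```

wget follows Dropbox's redirect to its content host over HTTPS, so the transfer itself is protected in transit; the hash check covers what TLS cannot, namely that the bytes at the other end are still the file you published.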

Sunday, June 12, 2016

Mergers & Acquisitions (M&A) Data Security Due Diligence

I recently read a New York Times article called "The Chinese Hackers in the Back Office" and one paragraph especially troubled me.

"Not all companies heed the warning. A security consultant for one victim, who spoke on the condition of anonymity because of nondisclosure agreements, said that his client chose not to act on a tip from Area 1 last year out of concern that a scandal over a successful online attack against the company would jeopardize its recent acquisition. It figured its acquirer would not have been thrilled to learn that the start-up’s proprietary technology was now in Chinese hacker’s hands." - NYTimes

This is one area where information security does not get enough attention: when a larger company purchases a smaller company or organization. How much due diligence is done to ensure that the acquisition target has not already been compromised? What steps are taken to ensure that the target's intellectual property is secure and not already in the hands of an adversary? It may be worthwhile to hire a third party to audit and hunt the target's network, a compromise assessment, to confirm there is no APT already inside.

There are implications when the acquisition target is discovered to be compromised. Does this affect the valuation? It likely does. It will also affect integration efforts. Some M&A deals assume cost savings that result from the merger; do some of those savings come from IT consolidation? Depending on the extent of the compromise, you may never be able to integrate the target's network into your corporate environment. Depending on the capabilities of the attackers, it can take years to expunge them from the network, or in extreme cases the existing infrastructure will need to be torn down and rebuilt from the ground up.

One of the reasons why I believe this doesn't get enough attention is hinted at in the article: much of this is not in the public domain. For every breach disclosure there are likely other parties that either a) don't know they have been breached or b) are keeping it secret.

These opinions are my own and not those of my employer. 

Saturday, April 9, 2016

My wifi setup

My personal wifi setup involves one access point connected to the back of the router provided by the ISP, with an additional access point that serves as a repeater for better coverage.

For my wireless access points, I wanted equipment that was close to enterprise grade without burning a hole in my pocket (I am looking at you, Cisco Aironet). I ultimately decided on an access point from Ubiquiti, for three reasons:
  • Reputation for stability
  • Affordable cost
  • Good reviews 
I specifically went with the Unifi UAP-AC-LR access point. I personally think this AP is one of the best values in an 802.11ac access point. For the average consumer, the Apple AirPort Extreme is a good choice.


Installation Procedure

Getting the Unifi controller to install properly and recognize the unprovisioned access points was quite the challenge. I initially tried installing the software on Windows with no success. For those installing on Windows, make sure the Windows Firewall allows the controller to communicate rather than switching it off entirely: the controller needs inbound 8080/tcp (device inform), 8443/tcp (web UI), 3478/udp (STUN) and 10001/udp (discovery), and those rules can be scoped to your LAN.

I decided to install the controller on Ubuntu 14.04 and it worked! 

During the initial setup you will need to choose a name and password for your network. In addition, you will need to adopt the access point into your network.

To set up the access point that will serve as the repeater, first connect it to the same layer 2 network (the same switch) and adopt it into your network. Then disconnect it from the switch. After a few minutes the controller will show the AP as Isolated; at that point go into its settings and configure the Wireless Uplink to the access point you want it to uplink to. Once this is done, both access points should show as blue (connected) in the controller.

To setup the wireless uplink, I found the following blog entry to be helpful.

http://www.tongfamily.com/2014/05/wireless-uplink-unifi-ap/

Note: some versions of the Ubiquiti controller require you to manually set both access points to the same channel.
Sunday, March 13, 2016

Setting up a network tap

The Security Onion GitHub wiki is an excellent resource for those looking for the hardware needed to capture packets. There are multiple ways to tackle the problem of gathering network packets, ranging from improvised to full enterprise solutions.

Basic LAN Tap
For those with a simple network, you can buy a Throwing Star LAN Tap. You can find these through a simple Google search or at the Hak5 shop on myshopify. This is great for those who want to try out a network tap without making a large investment, as these can be had for less than $20. Two caveats: it is a passive 10/100 device, so a gigabit link will negotiate down to 100 Mbit/s once the tap is inserted, and each direction of traffic appears on its own monitor port, so you need two capture interfaces to see both sides of a conversation.

Network Tap
For an enterprise network I highly recommend buying a network tap, for two reasons:
1. A network tap captures all traffic; other solutions may drop packets.
2. A passive network tap fails open, so production traffic keeps flowing if the tap loses power.

I have heard good things about NetOptics/Ixia taps and would advise getting one with port aggregation, which combines both directions of the link onto a single monitor port so one capture interface sees the whole conversation.

Span port / Port mirroring
Port mirroring (a SPAN port) is another option and can use your existing network infrastructure if your switches support it. However, it needs careful consideration, because the traffic mirrored to the span port can exceed its capacity and lead to silent packet loss. For example, if the span port only supports 100 megabits and three ports on the switch are each carrying 50 megabits, that is 150 megabits to be mirrored onto the span port, and everything beyond 100 megabits gets dropped. Remember that each mirrored port is full duplex: mirroring both directions of a busy 100 megabit port can by itself send up to 200 megabits toward the span port. The switch does not report these drops to the capture host, so size the budget up front.

For my own personal network, I decided to use the Netgear GS105Ev2 switch, which has port mirroring capabilities. The switch was listed on the Security Onion hardware page as possible hardware to use. It has had fairly stable performance but requires Windows for configuration and initial setup.

To set up the switch, first download the ProSAFE Plus Configuration Utility, which only works on Windows, then run it.

The utility requires that the computer you are administering from and the switch be on the same subnet; otherwise you will receive the error "switch and manager IP address are not in the same subnet!"

I have personally found that a common cause is using a wireless connection when attempting to change the settings on the switch.

Once physically plugged into the ISP-provided router/switch, I will sometimes continue to receive the same error message.

I have found it helps to select IP setting at the bottom right. Once in the IP settings, either click Refresh or toggle DHCP mode to Disabled and then back to Enabled.


Once successfully logged into the switch, go to System > Monitoring > Mirroring.

Select Enable to turn on the port mirroring feature, check Source Port for each port you want to monitor, and select the port that will be the destination for the mirrored traffic, i.e. the span port your sensor plugs into.
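Two checks that go with the span-port discussion above, once mirroring is configured, as an added example that is not part of the original post: a quick oversubscription budget for the mirror port (each source port counted as rx plus tx), and a capture wrapper that reads the counters tcpdump prints at exit and fails if the capture host dropped anything. The interface name, capture duration and the sample counter lines are constructed placeholders. Note what the two checks cover: host-side drops show up in tcpdump's "dropped by kernel" counter, but packets the switch discards because the mirror port is oversubscribed never reach the sensor and appear nowhere in those counters, which is why the budget is worth computing first.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for a sensor sitting on
# a span/mirror port. Interface names and sample counters are constructed.

# span_budget CAPACITY_MBPS RATE...: compare the sum of the source ports' traffic
# (each RATE is rx + tx for one mirrored port) with the mirror port's capacity.
# Returns 1 when the mirror port is oversubscribed.
span_budget() {
  capacity=$1; shift
  total=0
  for rate in "$@"; do
    total=$((total + rate))
  done
  if [ "$total" -gt "$capacity" ]; then
    echo "oversubscribed: $total of $capacity Mbit/s mirrored, expect drops"
    return 1
  fi
  echo "ok: $total of $capacity Mbit/s mirrored"
}

# parse_tcpdump_stats: read the summary lines tcpdump prints on exit
# ("N packets captured", "N packets received by filter",
#  "N packets dropped by kernel", optionally "N packets dropped by interface")
# from stdin, print one status line, and return 1 if anything was dropped.
parse_tcpdump_stats() {
  awk '
    /packets captured/     { cap   = $1 }
    /received by filter/   { recv  = $1 }
    /dropped by kernel/    { kdrop = $1 }
    /dropped by interface/ { idrop = $1 }
    END {
      drops = kdrop + idrop
      printf "captured=%d received=%d dropped=%d\n", cap, recv, drops
      if (drops > 0) exit 1
      exit 0
    }'
}

# capture_span IFACE SECONDS PCAP: capture from the mirror port for SECONDS, then
# report drops. tcpdump prints its counters to stderr, hence the 2>&1. Needs root
# (or CAP_NET_RAW) and the coreutils timeout command. Example (placeholder names):
#   capture_span eth1 60 /tmp/span-test.pcap
capture_span() {
  iface=$1; secs=$2; pcap=$3
  timeout "$secs" tcpdump -i "$iface" -nn -s 0 -w "$pcap" 2>&1 | parse_tcpdump_stats
}
```

If the captured and received counters agree with zero dropped, yet the byte rate arriving at the sensor is well below what the mirrored ports are carrying, the switch is discarding at the mirror port; that is the case span_budget is meant to catch in advance, because nothing on the capture host will.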


References:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware

http://hakshop.myshopify.com/products/throwing-star-lan-tap

Tuesday, March 8, 2016

My personal network setup, multi-part series

It has been almost half a year since I last blogged. It is time to brush off the cobwebs and start blogging again! There are many ways to implement network security monitoring (NSM) at home; my personal network is just one way to set up NSM in a home environment.

Wax on, wax off. 

Before eagerly buying equipment and getting hands on keyboard, the general architecture and its trade-offs need to be worked out. First, understand your environment and needs.

Some considerations:
Where do you want visibility in your home network?
What are your ingress/egress points?
How do most endpoints get to the internet?
Are there specific digital assets you want network visibility into?

Many home networks consist of one device that serves as modem, switch and wireless router. For example, the Actiontec gateway usually issued to Verizon FiOS customers has the router, switch and wireless access point wrapped into one appliance.
With a combined gateway you need to consider how, and whether, you are going to monitor endpoints that connect wirelessly. If the all-in-one ISP device is the default gateway for both wired and wireless traffic, you have a blind spot for the wireless endpoints: their traffic is switched inside the appliance and never crosses a port you can tap, and there is no way to place an NSM sensor inline before the ISP router.

For my network architecture, I have another switch with port mirroring enabled connected to the network gateway, then I have setup a wireless access point off the additional switch. 

Stay tuned for another post about setting up a network tap.